<!DOCTYPE html>





<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 3.9.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=7.4.0">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32.png?v=7.4.0">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16.png?v=7.4.0">
  <link rel="mask-icon" href="/images/avatar.svg?v=7.4.0" color="#222">
  <link rel="alternate" href="/atom.xml" title="Anemone's Blog" type="application/atom+xml">
  <meta name="google-site-verification" content="Re5JdegRYzNFco-rC9lYIsvSWIgh5JvyfhuEaZCeFCk">
  <meta name="baidu-site-verification" content="opTC8YN3Pn">

<link rel="stylesheet" href="/css/main.css?v=7.4.0">


<!-- NOTE(review): third-party stylesheet pulled from a public CDN with no Subresource Integrity. Pin it with integrity="sha384-…" (hash of this exact file) plus crossorigin="anonymous", or self-host it, so a compromised or silently changed CDN file cannot alter the page. -->
<link rel="stylesheet" href="https://cdn.bootss.com/font-awesome/4.7.0/css/font-awesome.min.css">


<script id="hexo-configurations">
  // NexT theme runtime configuration, emitted by Hexo at build time and read by the theme's scripts.
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Pisces',
    version: '7.4.0',
    exturl: false,
    sidebar: {"position":"left","display":"post","offset":12,"onmobile":false},
    copycode: {"enable":false,"show_result":false,"style":null},
    back2top: {"enable":true,"sidebar":false,"scrollpercent":false},
    bookmark: {"enable":false,"color":"#222","save":"auto"},
    fancybox: false,
    mediumzoom: false,
    lazyload: false,
    pangu: false,
    // Algolia search is not configured (empty credentials); the local search below is used instead.
    algolia: {
      appID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    },
    // NOTE(review): unescape:true presumably lets HTML from the search index (search.xml) be rendered
    // in results; acceptable for a single-author blog, but confirm the index only ever holds the author's own posts.
    localsearch: {"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":true,"preload":false},
    path: 'search.xml',
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    // UI strings for the copy-code button (Chinese: "Copy", "Copied", "Copy failed").
    translation: {
      copy_button: '复制',
      copy_success: '复制成功',
      copy_failure: '复制失败'
    },
    sidebarPadding: 40
  };
</script>

  <meta name="description" content="About本文列出四大安全会议（USENIX、CCS、NDSS和S&amp;P）近5年来与Web安全有关的研究，以发现web方向的研究点。XSS研究热点聚焦在DOM-XSS上：Don’t Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild,">
<meta name="keywords" content="Web安全,学术">
<meta property="og:type" content="article">
<meta property="og:title" content="2014-2019Web安全研究方向调查报告">
<meta property="og:url" content="http://anemone.top/学术-学术圈2014-2019Web安全方向研究情况/index.html">
<meta property="og:site_name" content="Anemone&#39;s Blog">
<meta property="og:description" content="About本文列出四大安全会议（USENIX、CCS、NDSS和S&amp;P）近5年来与Web安全有关的研究，以发现web方向的研究点。XSS研究热点聚焦在DOM-XSS上：Don’t Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild,">
<meta property="og:locale" content="zh-CN">
<meta property="og:image" content="http://anemone.top/学术-学术圈2014-2019Web安全方向研究情况/1546778397220.png">
<meta property="og:image" content="http://anemone.top/学术-学术圈2014-2019Web安全方向研究情况/1546778565366.png">
<meta property="og:image" content="http://anemone.top/学术-学术圈2014-2019Web安全方向研究情况/1547798650411.png">
<meta property="og:image" content="http://anemone.top/学术-学术圈2014-2019Web安全方向研究情况/1547692426847.png">
<meta property="og:image" content="http://anemone.top/学术-学术圈2014-2019Web安全方向研究情况/1547692490082.png">
<meta property="og:updated_time" content="2019-09-22T10:14:18.763Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="2014-2019Web安全研究方向调查报告">
<meta name="twitter:description" content="About本文列出四大安全会议（USENIX、CCS、NDSS和S&amp;P）近5年来与Web安全有关的研究，以发现web方向的研究点。XSS研究热点聚焦在DOM-XSS上：Don’t Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild,">
<meta name="twitter:image" content="http://anemone.top/学术-学术圈2014-2019Web安全方向研究情况/1546778397220.png">
  <link rel="canonical" href="http://anemone.top/学术-学术圈2014-2019Web安全方向研究情况/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  // Per-page flags consumed by the theme scripts; this document is a single post (isPost: true).
  CONFIG.page = {
    sidebar: "",
    isHome: false,
    isPost: true,
    isPage: false,
    isArchive: false
  };
</script>

  <title>2014-2019Web安全研究方向调查报告 | Anemone's Blog</title>
  








  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .logo,
  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-CN">
  <div class="container use-motion">
    <div class="headband"></div>


    


    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
            

          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
      <article itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block post">
    <link itemprop="mainEntityOfPage" href="http://anemone.top/学术-学术圈2014-2019Web安全方向研究情况/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="Anemone">
      <meta itemprop="description" content="关注Web安全、移动安全、Fuzz测试和机器学习">
      <meta itemprop="image" content="/images/avatar.jpg">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Anemone's Blog">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">2014-2019Web安全研究方向调查报告

          
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              
                
              

              <time title="创建时间：2019-02-27 10:16:20" itemprop="dateCreated datePublished" datetime="2019-02-27T10:16:20+08:00">2019-02-27</time>
            </span>
          
            

            
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="fa fa-calendar-check-o"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2019-09-22 18:14:18" itemprop="dateModified" datetime="2019-09-22T18:14:18+08:00">2019-09-22</time>
              </span>
            
          
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing"><a href="/categories/Web安全-学术/" itemprop="url" rel="index"><span itemprop="name">Web安全-学术</span></a></span>

                
                
              
            </span>
          

          
          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h1 id="About"><a href="#About" class="headerlink" title="About"></a>About</h1><p>本文列出四大安全会议（USENIX、CCS、NDSS和S&amp;P）近5年来与Web安全有关的研究，以发现web方向的研究点。</p><h1 id="XSS"><a href="#XSS" class="headerlink" title="XSS"></a>XSS</h1><p>近年XSS研究的热点集中在客户端（DOM型）XSS的检测与防御上：</p><h2 id="Don’t-Trust-The-Locals-Investigating-the-Prevalence-of-Persistent-Client-Side-Cross-Site-Scripting-in-the-Wild-ndss19"><a href="#Don’t-Trust-The-Locals-Investigating-the-Prevalence-of-Persistent-Client-Side-Cross-Site-Scripting-in-the-Wild-ndss19" class="headerlink" title="Don’t Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild, ndss19*"></a>Don’t Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild, ndss19*</h2><a id="more"></a>

<p>该文关注的是持久型（persistent）客户端XSS：污点来源不是URL，而是cookie、localStorage等客户端本地存储中可被攻击者写入的数据（标题中的“Locals”）。作者同样使用浏览器内的污点跟踪技术来寻找此类问题（方法上与下文“Riding out DOMsday: Towards Detecting and Preventing DOM Cross-Site Scripting”的研究很接近）。</p>
<h2 id="Riding-out-DOMsday-Towards-Detecting-and-Preventing-DOM-Cross-Site-Scripting-ndss18"><a href="#Riding-out-DOMsday-Towards-Detecting-and-Preventing-DOM-Cross-Site-Scripting-ndss18" class="headerlink" title="Riding out DOMsday: Towards Detecting and Preventing DOM Cross-Site Scripting, ndss18*"></a>Riding out DOMsday: Towards Detecting and Preventing DOM Cross-Site Scripting, ndss18*</h2><h3 id="什么是DOM型XSS："><a href="#什么是DOM型XSS：" class="headerlink" title="什么是DOM型XSS："></a>什么是DOM型XSS：</h3><p><img src="/学术-学术圈2014-2019Web安全方向研究情况/1546778397220.png" alt="1546778397220"></p>
<h3 id="怎么防御："><a href="#怎么防御：" class="headerlink" title="怎么防御："></a>怎么防御：</h3><p><img src="/学术-学术圈2014-2019Web安全方向研究情况/1546778565366.png" alt="1546778565366"></p>
<h3 id="方法"><a href="#方法" class="headerlink" title="方法"></a>方法</h3><p>我们在V8引擎中实现了污点跟踪：为每个来自输入源（source）的字符串打上标记，再检查这些标记是否最终流入document.write()等危险函数（sink function）。中间过程需要处理encodeURI等编码函数，它们应使标记失效。但要注意，净化是否有效取决于sink所在的上下文：下面列出的编码函数都不会转义单引号和括号等字符，用于URL类sink尚可，对eval()这类直接执行JavaScript的sink并不足够。</p>
<ul>
<li><p>sink function：</p>
<ul>
<li>document.write()</li>
<li>document.writeln()</li>
<li>eval()</li>
<li>设置src属性的setAttribute</li>
<li>设置href属性的setAttribute</li>
<li>设置style属性的setAttribute</li>
<li>设置事件监听属性（onload/onerror/…）的setAttribute</li>
<li>在setTimeout和setInterval中的string2function</li>
<li>对document.cookie赋值</li>
<li>对document.location赋值</li>
</ul>
</li>
<li><p>使标记失效的函数</p>
<ul>
<li><p>escape</p>
<p>escape不编码的字符有69个：*，+，-，.，/，@，_，0-9，a-z，A-Z（escape已被废弃，不应再作为净化函数使用）</p>
</li>
<li><p>encodeURI</p>
<p>encodeURI不编码的字符有82个：!，#，$，&amp;，&#39;，(，)，*，+，,，-，.，/，:，;，=，?，@，_，~，0-9，a-z，A-Z（它保留了 &#39;、(、)、;、= 等字符，因此不能作为JavaScript上下文的净化手段）</p>
</li>
<li><p>encodeURIComponent</p>
<p>encodeURIComponent不编码的字符有71个：!，&#39;，(，)，*，-，.，_，~，0-9，a-z，A-Z</p>
</li>
<li><p>encodeHTML</p>
<p>JavaScript没有内置实现，需要自己编写：至少应将 &amp;、&lt;、&gt;、&quot;、&#39; 五个字符转换为对应的HTML实体。实体编码只对HTML上下文有效，对URL或JavaScript上下文的sink并不适用。</p>
</li>
</ul>
</li>
</ul>
<h3 id="实验结果"><a href="#实验结果" class="headerlink" title="实验结果"></a>实验结果</h3><p>我们与其他检测工具做了对比：BurpSuite只发现了我们所发现问题中的约10%，但也报告了一些我们未发现的问题；而其他工具存在相当高的误报率（约95%）。</p>
<h3 id="相关链接"><a href="#相关链接" class="headerlink" title="相关链接"></a>相关链接</h3><ul>
<li><a href="https://github.com/wrmelicher/ChromiumTaintTracking" target="_blank" rel="noopener">https://github.com/wrmelicher/ChromiumTaintTracking</a></li>
<li>S. Lekies, B. Stock, and M. Johns, “25 million flows later: large-scale detection of DOM-based XSS,” in Proc. CCS, 2013, pp. 1193–1204.</li>
</ul>
<h2 id="Precise-Client-side-Protection-against-DOM-based-Cross-Site-Scripting-usenix14"><a href="#Precise-Client-side-Protection-against-DOM-based-Cross-Site-Scripting-usenix14" class="headerlink" title="Precise Client-side Protection against DOM-based Cross-Site Scripting, usenix14"></a>Precise Client-side Protection against DOM-based Cross-Site Scripting, usenix14</h2><p>目前对DOM型XSS的客户端防御（如浏览器内置的XSS过滤器）依赖于字符串匹配，本文通过实验揭示了这种方法不能抵御所有的攻击，并为此提出了一种基于污点跟踪、能精确感知污点来源的客户端XSS过滤器。</p>
<h2 id="Static-Detection-of-Second-Order-Vulnerabilities-in-Web-Applications-usenix14"><a href="#Static-Detection-of-Second-Order-Vulnerabilities-in-Web-Applications-usenix14" class="headerlink" title="Static Detection of Second-Order Vulnerabilities in Web Applications, usenix14"></a>Static Detection of Second-Order Vulnerabilities in Web Applications, usenix14</h2><p>Second-Order漏洞是指攻击载荷先被存储在应用服务器上，之后在其他操作读取该数据时才被触发的漏洞（例如存储型XSS、二阶SQL注入）。本文第一个提出了检测该类漏洞的静态代码分析方法：追踪应用对数据库等持久化存储的写入和读取操作，并把两者关联起来，以发现从写入到读取再到危险函数的完整数据流。</p>
<h1 id="EXP-Generation"><a href="#EXP-Generation" class="headerlink" title="EXP Generation"></a>EXP Generation</h1><h2 id="NAVEX-Precise-and-Scalable-Exploit-Generation-for-Dynamic-Web-Applications-usenix18"><a href="#NAVEX-Precise-and-Scalable-Exploit-Generation-for-Dynamic-Web-Applications-usenix18" class="headerlink" title="NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications, usenix18*"></a>NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications, usenix18*</h2><p>本文构造了一个可扩展、动静结合的Web漏洞利用（exploit）自动生成框架：第一步，用符号执行为各个模块构建行为模型并找出候选漏洞点；第二步，实际部署运行该应用，用爬虫获取站点的导航路径，并结合动态符号执行尽可能提高代码覆盖率，最终生成可实际触发漏洞的exploit。</p>
<h3 id="相关资料"><a href="#相关资料" class="headerlink" title="相关资料"></a>相关资料</h3><ul>
<li><a href="https://github.com/aalhuz/navex" target="_blank" rel="noopener">https://github.com/aalhuz/navex</a></li>
</ul>
<h2 id="Chainsaw-Chained-Automated-Workflow-based-Exploit-Generation-ccs16"><a href="#Chainsaw-Chained-Automated-Workflow-based-Exploit-Generation-ccs16" class="headerlink" title="Chainsaw: Chained Automated Workflow-based Exploit Generation, ccs16*"></a>Chainsaw: Chained Automated Workflow-based Exploit Generation, ccs16*</h2><p>我们设计了一套exploit自动生成工具，以提高对Web注入漏洞的识别能力。该工具基于应用的数据流、数据库模型和原生函数（native functions）的语义，来应对Web应用多模块、依赖用户输入以及多层架构所带来的挑战。</p>
<h1 id="DoS"><a href="#DoS" class="headerlink" title="DoS"></a>DoS</h1><h2 id="Rampart-protecting-web-applications-from-CPU-exhaustion-denial-of-service-attacks-defend-usenix18"><a href="#Rampart-protecting-web-applications-from-CPU-exhaustion-denial-of-service-attacks-defend-usenix18" class="headerlink" title="Rampart: protecting web applications from CPU-exhaustion denial-of-service attacks(defend), usenix18"></a>Rampart: protecting web applications from CPU-exhaustion denial-of-service attacks(defend), usenix18</h2><p>高度复杂的DoS攻击只需要少量请求就可导致大量CPU资源消耗（这类攻击不依赖流量，因此基于请求速率的传统限制难以防御）。为此，我们设计了工具Rampart，它结合统计方法和函数级别的程序分析，自动合成并部署过滤器来阻止这类攻击。</p>
<h2 id="Tail-Attacks-on-Web-Applications-ccs17"><a href="#Tail-Attacks-on-Web-Applications-ccs17" class="headerlink" title="Tail Attacks on Web Applications, ccs17"></a>Tail Attacks on Web Applications, ccs17</h2><p>本文介绍了一种新型的DDoS攻击，它利用Web应用架构的复杂性和对分布式组件的依赖，使请求的尾部响应时间（tail latency）超过1秒。我们构建了一个模型来检测这一攻击，并提出了一种防御方法。</p>
<h2 id="Freezing-the-Web-A-Study-of-ReDoS-Vulnerabilities-in-JavaScript-based-Web-Servers-usenix18"><a href="#Freezing-the-Web-A-Study-of-ReDoS-Vulnerabilities-in-JavaScript-based-Web-Servers-usenix18" class="headerlink" title="Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers, usenix18"></a>Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers, usenix18</h2><p>JavaScript的单线程执行模型使得基于JavaScript的Web服务器特别容易受到ReDoS（正则表达式拒绝服务）攻击：一次超线性回溯的正则匹配就能阻塞整个事件循环。我们对2846个流行网站进行了分析，并发现了25个此前未知的流行模块漏洞。</p>
<h2 id="The-impact-of-regular-expression-denial-of-service-ReDoS-in-practice-an-empirical-study-at-the-ecosystem-scale-survey-fse18"><a href="#The-impact-of-regular-expression-denial-of-service-ReDoS-in-practice-an-empirical-study-at-the-ecosystem-scale-survey-fse18" class="headerlink" title="The impact of regular expression denial of service (ReDoS) in practice: an empirical study at the ecosystem scale(survey), fse18"></a>The impact of regular expression denial of service (ReDoS) in practice: an empirical study at the ecosystem scale(survey), fse18</h2><p>正则表达式是导致拒绝服务的一个新兴原因。本文研究了ReDoS的三个方面：实际中超线性正则表达式（super-linear regex）的使用率、开发者如何防范这类DoS，以及这些正则如何被修复。本文发现大量JavaScript和Python项目依赖正则表达式；用于识别危险正则的反模式（anti-patterns）漏报很少但误报很多，因此反模式是必要但不充分的判据。最后，面对超线性表达式，开发者更倾向于修改正则本身，而不是截断输入或改用其他实现。</p>
<h2 id="ReScue-crafting-regular-expression-DoS-attacks-ase18"><a href="#ReScue-crafting-regular-expression-DoS-attacks-ase18" class="headerlink" title="ReScue: crafting regular expression DoS attacks, ase18"></a>ReScue: crafting regular expression DoS attacks, ase18</h2><p>本文介绍了一种三阶段灰盒分析技术ReScue，它可以自动生成触发ReDoS的攻击字符串：先用遗传算法选择种子，再根据正则匹配算法的行为搜索使匹配时间最长的字符串。</p>
<p>备注：南大计算机做的研究，好像也在搞移动测试</p>
<h1 id="Cookie"><a href="#Cookie" class="headerlink" title="Cookie"></a>Cookie</h1><h2 id="Who-left-open-the-cookie-jar-a-comprehensive-evaluation-of-third-party-cookie-policies-survey-usenix18"><a href="#Who-left-open-the-cookie-jar-a-comprehensive-evaluation-of-third-party-cookie-policies-survey-usenix18" class="headerlink" title="Who left open the cookie jar? a comprehensive evaluation of third-party cookie policies (survey), usenix18"></a>Who left open the cookie jar? a comprehensive evaluation of third-party cookie policies (survey), usenix18</h2><p>由于cookie会被浏览器自动附加到第三方（跨站）请求上，它既被用于跨站跟踪，也是CSRF等攻击成立的前提；为此浏览器和扩展形成了各种第三方cookie保护机制和策略（如阻止第三方cookie）。本文通过一个能强制触发各类第三方请求的框架，自动化评估这些防御机制的有效性：我们评估了7个浏览器的策略实现和46个浏览器插件，发现即使是浏览器内置的保护机制也可以被许多新技术绕过。</p>
<p>思考：Android Browser是不是也有这类问题？</p>
<h2 id="Cookies-Lack-Integrity-Real-World-Implications-survey-usenix15"><a href="#Cookies-Lack-Integrity-Real-World-Implications-survey-usenix15" class="headerlink" title="Cookies Lack Integrity: Real-World Implications (survey), usenix15"></a>Cookies Lack Integrity: Real-World Implications (survey), usenix15</h2><p>设置了Secure标志的cookie只会通过HTTPS传输，但这保护的只是机密性；cookie本身缺乏完整性保护：在没有HSTS的情况下，网络中间人可以通过一次明文HTTP响应为HTTPS站点写入或覆盖同名cookie（同一父域下的其他子域也可能做到），而服务器无法区分一个cookie究竟由谁设置。本文旨在了解攻击者如何据此实施cookie注入攻击及其现实影响。</p>
<h2 id="The-Cracked-Cookie-Jar-HTTP-Cookie-Hijacking-and-the-Exposure-of-Private-Information-survey-S-amp-P16"><a href="#The-Cracked-Cookie-Jar-HTTP-Cookie-Hijacking-and-the-Exposure-of-Private-Information-survey-S-amp-P16" class="headerlink" title="The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information (survey), S&amp;P16"></a>The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information (survey), S&amp;P16</h2><p>许多网站没有对全部流量启用HTTPS（或会话cookie未设置Secure标志），导致cookie会随明文HTTP请求发送，网络中间人可以直接窃取并劫持会话（cookie劫持）。本文系统总结了这类问题，并评估了由此暴露的私人信息。</p>
<h1 id="CSP"><a href="#CSP" class="headerlink" title="CSP"></a>CSP</h1><h2 id="CCSP-Controlled-Relaxation-of-Content-Security-Policies-by-Runtime-Policy-Composition-defense-usenix17"><a href="#CCSP-Controlled-Relaxation-of-Content-Security-Policies-by-Runtime-Policy-Composition-defense-usenix17" class="headerlink" title="CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition (defense), usenix17"></a>CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition (defense), usenix17</h2><p>CSP（Content Security Policy）是W3C设计的用来防御内容注入的标准，但其静态白名单策略的有效性已被先前的研究质疑。本文介绍了一种CSP的扩展CCSP，允许在运行时以受控方式组合、放宽策略，旨在克服静态白名单所带来的限制，同时避免大幅度修改原先的CSP。</p>
<h2 id="CSPAutoGen-Black-box-Enforcement-of-Content-Security-Policy-upon-Real-world-Websites-defense-ccs16"><a href="#CSPAutoGen-Black-box-Enforcement-of-Content-Security-Policy-upon-Real-world-Websites-defense-ccs16" class="headerlink" title="CSPAutoGen: Black-box Enforcement of Content Security Policy upon Real-world Websites (defense), ccs16"></a>CSPAutoGen: Black-box Enforcement of Content Security Policy upon Real-world Websites (defense), ccs16</h2><p>CSP是缓解XSS攻击的有效手段，但据调查只有约0.002%的网站部署了CSP。为此我们设计了工具CSPAutoGen，它为每个网站训练一个模板，再基于模板生成CSP规则，并以黑盒方式在真实网站上强制执行。</p>
<h1 id="CORS"><a href="#CORS" class="headerlink" title="CORS"></a>CORS</h1><h2 id="We-Still-Don’t-Have-Secure-Cross-Domain-Requests-an-Empirical-Study-of-CORS-survey-usenix18"><a href="#We-Still-Don’t-Have-Secure-Cross-Domain-Requests-an-Empirical-Study-of-CORS-survey-usenix18" class="headerlink" title="We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS (survey), usenix18"></a>We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS (survey), usenix18</h2><p>开发者曾用一些变通方法（比如JSONP）绕过同源策略，但这些方法同时引入了安全问题；CORS是一种更加规范的跨域访问机制。然而本文通过实证研究发现，CORS的设计和部署也受到许多新的安全问题影响：1）CORS放宽了跨域写权限；2）开发人员不了解CORS导致错误配置（典型的如原样反射任意Origin并同时允许携带凭据）。</p>
<h1 id="Android"><a href="#Android" class="headerlink" title="Android"></a>Android</h1><h2 id="Time-Does-Not-Heal-All-Wounds-A-Longitudinal-Analysis-of-Security-Mechanism-Support-in-Mobile-Browsers-survey-ndss19"><a href="#Time-Does-Not-Heal-All-Wounds-A-Longitudinal-Analysis-of-Security-Mechanism-Support-in-Mobile-Browsers-survey-ndss19" class="headerlink" title="Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers (survey), ndss19"></a>Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers (survey), ndss19</h2><p>本文对移动浏览器做了纵向分析，发现桌面Web上已知的安全问题同样会出现在Android上，而且很多移动端浏览器长期不支持或未正确实现安全相关的HTTP响应头（见下图），服务端设置的这些防御在移动端可能根本不生效。</p>
<p>被调查的HTTP Header：</p>
<p><img src="/学术-学术圈2014-2019Web安全方向研究情况/1547798650411.png" alt="1547798650411"></p>
<h2 id="Understanding-Open-Ports-in-Android-Applications-Discovery-Diagnosis-and-Security-Assessment-ndss19"><a href="#Understanding-Open-Ports-in-Android-Applications-Discovery-Diagnosis-and-Security-Assessment-ndss19" class="headerlink" title="Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment, ndss19"></a>Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment, ndss19</h2><p>本文通过众包方式了解到，Android应用中开放网络端口（应用在设备上监听端口）的普及度为15.3%；本文还开发了一种新的静态诊断工具，显示61.8%的开放端口应用完全是由嵌入的第三方SDK引入的，20.7%的应用使用了不安全的API。关于端口安全得出三个结论：（1）脆弱性分析揭示了以Instagram、Samsung Gear、Skype和Facebook SDK为代表的5种脆弱模式；（2）众包测量覆盖了224个蜂窝网络和2181个WiFi网络的情况；（3）实验性地演示了针对开放端口的DoS攻击。</p>
<h2 id="FlowCog-Context-aware-Semantics-Extraction-and-Analysis-of-Information-Flow-Leaks-in-Android-Apps-usenix18"><a href="#FlowCog-Context-aware-Semantics-Extraction-and-Analysis-of-Information-Flow-Leaks-in-Android-Apps-usenix18" class="headerlink" title="FlowCog: Context-aware Semantics Extraction and Analysis of Information Flow Leaks in Android Apps, usenix18"></a>FlowCog: Context-aware Semantics Extraction and Analysis of Information Flow Leaks in Android Apps, usenix18</h2><p>Android访问私人信息是否合法取决于应用是否向用户提供了足够的解释，FlowCog从Android视图中抽取相关的语义，再用NLP方法推断语义与给定流是否相关。</p>
<h3 id="相关资料-1"><a href="#相关资料-1" class="headerlink" title="相关资料"></a>相关资料</h3><ul>
<li><a href="https://github.com/SocietyMaster/FlowCog" target="_blank" rel="noopener">https://github.com/SocietyMaster/FlowCog</a></li>
</ul>
<h2 id="Study-and-Mitigation-of-Origin-Stripping-Vulnerabilities-in-Hybrid-postMessage-Enabled-Mobile-Applications-S-amp-P18"><a href="#Study-and-Mitigation-of-Origin-Stripping-Vulnerabilities-in-Hybrid-postMessage-Enabled-Mobile-Applications-S-amp-P18" class="headerlink" title="Study and Mitigation of Origin Stripping Vulnerabilities in Hybrid-postMessage Enabled Mobile Applications, S&amp;P18"></a>Study and Mitigation of Origin Stripping Vulnerabilities in Hybrid-postMessage Enabled Mobile Applications, S&amp;P18</h2><p>Web应用使用postMessage进行跨源通信；Android的混合（hybrid）应用也使用这一技术，并把它扩展到WebView与原生代码之间（我们称为“hybrid postMessage”）。这一扩展引入了新的问题——origin stripping漏洞：消息被转发后丢失了来源（origin）信息，接收方无法再校验消息来自哪个源。本文设计了一个工具来检测该问题，并给出了缓解方案。</p>
<h2 id="Mobile-Application-Web-API-Reconnaissance-Web-to-Mobile-Inconsistencies-amp-Vulnerabilities-S-amp-P18"><a href="#Mobile-Application-Web-API-Reconnaissance-Web-to-Mobile-Inconsistencies-amp-Vulnerabilities-S-amp-P18" class="headerlink" title="Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies &amp; Vulnerabilities, S&amp;P18**"></a>Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies &amp; Vulnerabilities, S&amp;P18**</h2><p>为了节省服务端算力，很多Web API的输入校验被放到移动端完成；但如果服务端不重复校验，就会出现客户端与服务端校验逻辑不一致的问题——攻击者可以绕过客户端、直接篡改流量来攻击Web后端（客户端校验从来不能当作安全控制）。本文提出工具WARDroid，它能自动发现这种不一致：先静态分析Android应用，提取其HTTP通信模板及附带的校验约束，再通过黑盒测试向服务端发送违反这些约束的请求，以识别服务端缺失的校验。</p>
<p><strong>Idea: </strong>可不可以做一个web的？因为web的前后端分离也会造成不一致问题(会议上有人提问)。</p>
<h3 id="Extract-Backward"><a href="#Extract-Backward" class="headerlink" title="Extract Backward"></a>Extract Backward</h3><p><img src="/学术-学术圈2014-2019Web安全方向研究情况/1547692426847.png" alt="1547692426847"></p>
<h3 id="HTTP-Request-Templates"><a href="#HTTP-Request-Templates" class="headerlink" title="HTTP Request Templates"></a>HTTP Request Templates</h3><p><img src="/学术-学术圈2014-2019Web安全方向研究情况/1547692490082.png" alt="1547692490082"></p>
<h2 id="Measuring-the-Insecurity-of-Mobile-Deep-Links-of-Android-usenix17"><a href="#Measuring-the-Insecurity-of-Mobile-Deep-Links-of-Android-usenix17" class="headerlink" title="Measuring the Insecurity of Mobile Deep Links of Android, usenix17"></a>Measuring the Insecurity of Mobile Deep Links of Android, usenix17</h2><p>Deep Link是指向应用内部的特殊URI，它使网页到应用的通信成为可能。Android推出了两种新机制“App links”和“Intent URLs”来替代不安全的scheme URL，但对其实际落地情况了解不多。本文调查了2014-2016年Google Play上的应用，发现新的链接方式并没有带来安全性改善，只有2.2%的应用正确使用了新方法；另外，我们发现了一种新的风险；最后，我们发现了更多的链接劫持案例（多个应用注册同一链接，恶意应用可以截获本应发给目标应用的链接）。</p>
<h2 id="AUTHSCOPE-Towards-Automatic-Discovery-of-Vulnerable-Authorizations-in-Online-Services-ccs17"><a href="#AUTHSCOPE-Towards-Automatic-Discovery-of-Vulnerable-Authorizations-in-Online-Services-ccs17" class="headerlink" title="AUTHSCOPE: Towards Automatic Discovery of Vulnerable Authorizations in Online Services, ccs17*"></a>AUTHSCOPE: Towards Automatic Discovery of Vulnerable Authorizations in Online Services, ccs17*</h2><p>本文设计了AuthScope工具，它能够自动执行移动应用程序，并在相应的在线服务中识别出存在漏洞的授权（authorization）实现。</p>
<h2 id="Effective-Real-Time-Android-Application-Auditing-S-amp-P14"><a href="#Effective-Real-Time-Android-Application-Auditing-S-amp-P14" class="headerlink" title="Effective Real-Time Android Application Auditing, S&amp;P14"></a>Effective Real-Time Android Application Auditing, S&amp;P14</h2><p>本文设计了一套动态审计工具来检查应用是否存在<strong>数据泄露</strong>问题，降低静态检测的误报率。</p>
<h1 id="Javascript"><a href="#Javascript" class="headerlink" title="Javascript"></a>Javascript</h1><p>与JavaScript相关的安全问题本身包含XSS，XSS已在上文单列，这里不再重复。</p>
<h2 id="CodeAlchemist-Semantics-Aware-Code-Generation-to-Find-Vulnerabilities-in-JavaScript-Engines-ndss19"><a href="#CodeAlchemist-Semantics-Aware-Code-Generation-to-Find-Vulnerabilities-in-JavaScript-Engines-ndss19" class="headerlink" title="CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines, ndss19"></a>CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines, ndss19</h2><p>本文设计了一套js代码生成工具，它可以生成语义和语法上都正确的JavaScript片段，因此可以<strong>用于fuzz来发现JavaScript引擎的漏洞</strong>。具体来说，该工具将种子分解为代码片段，每一个片段用一段约束来标记，这些约束表示它与其他代码块在一起的条件。</p>
<h2 id="SYNODE-Understanding-and-Automatically-Preventing-Injection-Attacks-on-NODE-JS-ndss18"><a href="#SYNODE-Understanding-and-Automatically-Preventing-Injection-Attacks-on-NODE-JS-ndss18" class="headerlink" title="SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS, ndss18"></a>SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS, ndss18</h2><p>本文发现很多Node.js模块会把不受信任的输入传入命令执行等危险API，存在注入攻击（如命令注入）的问题。为此本文提出了Synode，一种结合静态分析和运行时防护的方法，使开发者能安全地使用这些有问题的库：Synode静态分析哪些值会传播到危险API中，并在模块安装时生成修复；运行时则拦截恶意输入，防止它们被传递到这些API。</p>
<h3 id="相关工作"><a href="#相关工作" class="headerlink" title="相关工作"></a>相关工作</h3><ul>
<li>X. Jin, X. Hu, K. Ying, W. Du, H. Yin, and G. N. Peri. Code injection attacks on HTML5-based mobile apps: Characterization, detection and mitigation. In Conference on Computer and Communications Security, pages 66–77, 2014</li>
<li>P. Saxena, D. Molnar, and B. Livshits. SCRIPTGARD: automatic context-sensitive sanitization for large-scale legacy web applications. In CCS, pages 601–614, 2011. </li>
<li>M. Ter Louw and V. N. Venkatakrishnan. Blueprint: Robust prevention of cross-site scripting attacks for existing browsers. In Sec. and Privacy, pages 331–346, 2009. </li>
<li>S. Guarnieri and B. Livshits. GATEKEEPER: mostly static enforcement of security and reliability policies for JavaScript code. In USENIX Security, pages 151–168, 2009. </li>
</ul>
<h2 id="Thou-Shalt-Not-Depend-on-Me-Analysing-the-Use-of-Outdated-JavaScript-Libraries-on-the-Web-survey-ndss17"><a href="#Thou-Shalt-Not-Depend-on-Me-Analysing-the-Use-of-Outdated-JavaScript-Libraries-on-the-Web-survey-ndss17" class="headerlink" title="Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web (survey), ndss17"></a>Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web (survey), ndss17</h2><p>本文对Alexa排名中的网站进行了调查，发现Web开发者大量使用第三方库（比如jQuery），而其中很多网站仍在使用存在已知漏洞的旧版本。</p>
<h2 id="The-Unexpected-Dangers-of-Dynamic-JavaScript-survey-usenix15"><a href="#The-Unexpected-Dangers-of-Dynamic-JavaScript-survey-usenix15" class="headerlink" title="The Unexpected Dangers of Dynamic JavaScript (survey), usenix15"></a>The Unexpected Dangers of Dynamic JavaScript (survey), usenix15</h2><p>本文关注的是服务端动态生成的JavaScript（其中可能嵌入用户相关的数据）所带来的安全风险——主要是此类脚本被第三方站点跨站引入后导致的数据泄露。本文对其现实影响进行了实证研究，并提出了安全防护方法。</p>
<h2 id="ZigZag-Automatically-Hardening-Web-Applications-Against-Client-side-Validation-Vulnerabilities-usenix15"><a href="#ZigZag-Automatically-Hardening-Web-Applications-Against-Client-side-Validation-Vulnerabilities-usenix15" class="headerlink" title="ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities, usenix15"></a>ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities, usenix15</h2><p>现代网站大量依赖JavaScript，其中的客户端验证（client-side validation，CSV）代码存在脆弱性（本质上是逻辑问题）。本文提出了一个检测并加固该类问题的系统ZigZag：它作为代理，透明地对客户端代码进行插桩，实时获取执行状态，从中学习控制流和数据流的不变量，以此识别与攻击相关的操作。</p>
<h2 id="Hunting-the-Red-Fox-Online-Understanding-and-Detection-of-Mass-Redirect-Script-Injections-S-amp-P14"><a href="#Hunting-the-Red-Fox-Online-Understanding-and-Detection-of-Mass-Redirect-Script-Injections-S-amp-P14" class="headerlink" title="Hunting the Red Fox Online: Understanding and Detection of Mass Redirect-Script Injections, S&amp;P14"></a>Hunting the Red Fox Online: Understanding and Detection of Mass Redirect-Script Injections, S&amp;P14</h2><p>本文开发了工具JsRED，一种用于自动检测<strong>重定向脚本注入</strong>的新技术：它通过比较网站当前使用的JavaScript库版本与正常（干净）版本之间的差异，判断脚本是否被篡改或替换。</p>
<h1 id="Access-control"><a href="#Access-control" class="headerlink" title="Access control"></a>Access control</h1><h2 id="FlowWatcher-Defending-against-Data-Disclosure-Vulnerabilities-in-Web-Applications-ccs15"><a href="#FlowWatcher-Defending-against-Data-Disclosure-Vulnerabilities-in-Web-Applications-ccs15" class="headerlink" title="FlowWatcher: Defending against Data Disclosure Vulnerabilities in Web Applications, ccs15"></a>FlowWatcher: Defending against Data Disclosure Vulnerabilities in Web Applications, ccs15</h2><p>Web应用常出现水平越权（用户读到其他用户的数据）的问题。由于很多网站的用户访问控制模型类似，因此可以在外部代理（如nginx端）观察用户的所有流量，再根据预期访问控制策略的规范来侦测未经授权的数据访问。</p>
<h2 id="MACE-Detecting-Privilege-Escalation-Vulnerabilities-in-Web-Applications-css14"><a href="#MACE-Detecting-Privilege-Escalation-Vulnerabilities-in-Web-Applications-css14" class="headerlink" title="MACE: Detecting Privilege Escalation Vulnerabilities in Web Applications, css14"></a>MACE: Detecting Privilege Escalation Vulnerabilities in Web Applications, css14</h2><p>我们实现了工具MACE，通过访问资源时的上下文不一致性来识别水平特权升级漏洞。</p>
<h2 id="Automating-Isolation-and-Least-Privilege-in-Web-Services-S-amp-P14"><a href="#Automating-Isolation-and-Least-Privilege-in-Web-Services-S-amp-P14" class="headerlink" title="Automating Isolation and Least Privilege in Web Services, S&amp;P14"></a>Automating Isolation and Least Privilege in Web Services, S&amp;P14</h2><p>本文设计了一个防止数据未授权读写的系统Passe，它动态地从开发者提供的测试用例分析数据流和控制流，将应用分离成几个模块，并且将模块放入沙盒中运行。另外，我们将Passe嵌入了Django框架中，我们发现它可以正确地分析96%的策略，同时还可以防御XSS攻击。</p>
<h1 id="Survey"><a href="#Survey" class="headerlink" title="Survey"></a>Survey</h1><p>能分类的survey已经分到具体的类型中，这里列出与web相关的其他调查。</p>
<h2 id="Same-Origin-Policy-Evaluation-in-Modern-Browsers-usenix17"><a href="#Same-Origin-Policy-Evaluation-in-Modern-Browsers-usenix17" class="headerlink" title="Same-Origin Policy: Evaluation in Modern Browsers, usenix17"></a>Same-Origin Policy: Evaluation in Modern Browsers, usenix17</h2><p>SOP-DOM是同源策略的子集，它控制主文档和嵌入文档之间的交互，但是没有正式的规范。本文通过实证研究发现，除了Web Origins之外，SOP-DOM授予的访问权限至少取决于三个属性：嵌入元素（EE）的类型、沙箱（浏览器）和CORS属性。</p>
<h2 id="How-the-Web-Tangled-Itself-Uncovering-the-History-of-Client-Side-Web-In-Security-usenix17"><a href="#How-the-Web-Tangled-Itself-Uncovering-the-History-of-Client-Side-Web-In-Security-usenix17" class="headerlink" title="How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security, usenix17"></a>How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security, usenix17</h2><p>本文检查了97-16年的重要网站代码和头信息，以此确定web技术的关键趋势，随后评估与之关联的漏洞，再调查解决它们的安全防御机制。本文发现自2000年以来，JavaScript开始流行，客户端注入的可能性增加，但CSP的部署却没有跟上；另外使用HTTP only cookie的网站更容易遭受XSS。</p>
<h1 id="Fingerprint"><a href="#Fingerprint" class="headerlink" title="Fingerprint"></a>Fingerprint</h1><h2 id="k-fingerprinting-A-Robust-Scalable-Website-Fingerprinting-Technique-fingerprint-usenix16"><a href="#k-fingerprinting-A-Robust-Scalable-Website-Fingerprinting-Technique-fingerprint-usenix16" class="headerlink" title="k-fingerprinting: A Robust Scalable Website Fingerprinting Technique(fingerprint), usenix16"></a>k-fingerprinting: A Robust Scalable Website Fingerprinting Technique(fingerprint), usenix16</h2><p>攻击者可以在tor网络中实施被动攻击，比如指纹识别。本文提出了基于随机森林的网站指纹识别技术，它能抵抗tor和先进的网站指纹识别防御技术。</p>
<h2 id="Cloak-of-Visibility-Detecting-When-Machines-Browse-a-Different-Web-fingerprint-S-amp-P16"><a href="#Cloak-of-Visibility-Detecting-When-Machines-Browse-a-Different-Web-fingerprint-S-amp-P16" class="headerlink" title="Cloak of Visibility: Detecting When Machines Browse a Different Web(fingerprint), S&amp;P16"></a>Cloak of Visibility: Detecting When Machines Browse a Different Web(fingerprint), S&amp;P16</h2><p>恶意网站会使用复杂技术隐藏自身，防止被搜索引擎发现其本质。我们调查了暗网的十大著名技术，并且开发了一种反隐身系统。</p>
<h2 id="JavaScript-Template-Attacks-Automatically-Inferring-Host-Information-for-Targeted-Exploits-fingerprint-ndss19"><a href="#JavaScript-Template-Attacks-Automatically-Inferring-Host-Information-for-Targeted-Exploits-fingerprint-ndss19" class="headerlink" title="JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits(fingerprint), ndss19"></a>JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits(fingerprint), ndss19</h2><p>如今的浏览器会提供匿名功能隐藏信息，而本文提出了一种自动化推断系统信息（包括软件和硬件）的方法，该方法通过JavaScript引擎收集各种数据，再根据这些属性创建模板，如果这个模板的某一属性在各个系统上都不相同则它是一个依赖于环境的属性。</p>
<h1 id="etc"><a href="#etc" class="headerlink" title="etc"></a>etc</h1><h2 id="On-Omitting-Commits-and-Committing-Omissions-Preventing-Git-Metadata-Tampering-That-Re-introduces-Software-Vulnerabilities-git-usenix16"><a href="#On-Omitting-Commits-and-Committing-Omissions-Preventing-Git-Metadata-Tampering-That-Re-introduces-Software-Vulnerabilities-git-usenix16" class="headerlink" title="On Omitting Commits and Committing Omissions: Preventing Git Metadata Tampering That (Re)introduces Software Vulnerabilities (git), usenix16"></a>On Omitting Commits and Committing Omissions: Preventing Git Metadata Tampering That (Re)introduces Software Vulnerabilities (git), usenix16</h2><p>元数据攻击指针对版本控制系统的攻击方法，它欺骗开发者执行意外操作，比如将未经测试的代码合并到生产分支中，或是包含已知漏洞的组件。本文提出了一种防御方案，通过维护开发人员加密签名后的日志来缓解这些攻击。</p>
<h2 id="Automatically-Detecting-Vulnerable-Websites-Before-They-Turn-Malicious-mechine-learning-usenix14"><a href="#Automatically-Detecting-Vulnerable-Websites-Before-They-Turn-Malicious-mechine-learning-usenix14" class="headerlink" title="Automatically Detecting Vulnerable Websites Before They Turn Malicious (mechine learning), usenix14"></a>Automatically Detecting Vulnerable Websites Before They Turn Malicious (mechine learning), usenix14</h2><p>本文使用数据挖掘和机器学习的几种技术，来预测一个给定的、未被侵入的网站是否会变得有问题。</p>
<h2 id="Static-detection-of-asymptotic-resource-side-channel-vulnerabilities-in-web-applications-side-channel-ase17"><a href="#Static-detection-of-asymptotic-resource-side-channel-vulnerabilities-in-web-applications-side-channel-ase17" class="headerlink" title="Static detection of asymptotic resource side-channel vulnerabilities in web applications (side channel), ase17"></a>Static detection of asymptotic resource side-channel vulnerabilities in web applications (side channel), ase17</h2><p>本文开发了一个SCANNER的工具，用于检测PHP应用程序中与资源相关的侧信道泄露漏洞——例如一个关于健康的网站，泄露了病人吃药的时间。</p>
<h2 id="Predicting-Impending-Exposure-to-Malicious-Content-from-User-Behavior-defense-ccs18"><a href="#Predicting-Impending-Exposure-to-Malicious-Content-from-User-Behavior-defense-ccs18" class="headerlink" title="Predicting Impending Exposure to Malicious Content from User Behavior(defense), ccs18"></a>Predicting Impending Exposure to Malicious Content from User Behavior(defense), ccs18</h2><p>本文提出了一种系统，可以在单个浏览会话级别上观察用户行为，从而预测他们是否会遭遇攻击行为，以达到提前预防的目的。</p>
<h2 id="Deemon-Detecting-CSRF-with-Dynamic-Analysis-and-Property-Graphs-CSRF-ccs17"><a href="#Deemon-Detecting-CSRF-with-Dynamic-Analysis-and-Property-Graphs-CSRF-ccs17" class="headerlink" title="Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs (CSRF), ccs17"></a>Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs (CSRF), ccs17</h2><p>本文提出检测CSRF的框架，该框架考虑了web应用的执行流程、数据流以及整体架构，构建一个属性图，然后使用图遍历，发掘潜在的CSRF问题。Deemon自动判断web应用的执行环境，接着无监督地产生动态记录，比如网络交互、服务端执行和数据库操作；使用这些记录Deemon构建一个图模型，它表示捕获的状态转换和数据流；接着遍历这个图来发掘HTTP状态变换，这些变换与CSRF漏洞相关。</p>
<h2 id="Attack-Patterns-for-Black-Box-Security-Testing-of-Multi-Party-Web-Applications-SSO-ndss16"><a href="#Attack-Patterns-for-Black-Box-Security-Testing-of-Multi-Party-Web-Applications-SSO-ndss16" class="headerlink" title="Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications(SSO), ndss16*"></a>Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications(SSO), ndss16*</h2><p>我们针对单点登录(SSO)存在的问题，设计了两种攻击模式CSRF和XSS，并且基于ZAP设计了扫描器，经过实验我们发现它能发现知名网站的安全性问题。</p>
<h2 id="Toward-Black-Box-Detection-of-Logic-Flaws-in-Web-Applications-Logic-Flaws-ndss14"><a href="#Toward-Black-Box-Detection-of-Logic-Flaws-in-Web-Applications-Logic-Flaws-ndss14" class="headerlink" title="Toward Black-Box Detection of Logic Flaws in Web Applications (Logic Flaws), ndss14"></a>Toward Black-Box Detection of Logic Flaws in Web Applications (Logic Flaws), ndss14</h2><p>由于缺失文档，判断逻辑漏洞十分困难，现有的工具需要调查源代码或是只适用于小规模应用，而我们利用用户产生的流量产生一个行为序列，接着重用这个序列判断网站是否存在问题。</p>

    </div>

    
    
    
        
      
        

<div>
<ul class="post-copyright">
  <li class="post-copyright-author">
    <strong>本文作者： </strong>Anemone</li>
  <li class="post-copyright-link">
    <strong>本文链接：</strong>
    <a href="http://anemone.top/学术-学术圈2014-2019Web安全方向研究情况/" title="2014-2019Web安全研究方向调查报告">http://anemone.top/学术-学术圈2014-2019Web安全方向研究情况/</a>
  </li>
  <li class="post-copyright-license">
    <strong>版权声明： </strong>本博客所有文章除特别声明外，均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/deed.zh" rel="noopener" target="_blank"><i class="fa fa-fw fa-creative-commons"></i>BY-NC-SA</a> 许可协议。转载请注明出处！</li>
</ul>
</div>

      

      <footer class="post-footer">
          
            
          
          <div class="post-tags">
            
              <a href="/tags/Web安全/" rel="tag"># Web安全</a>
            
              <a href="/tags/学术/" rel="tag"># 学术</a>
            
          </div>
        

        

        
      </footer>
    
  </div>
  
  
  
  </article>

  </div>


          </div>
          
    
  

        </div>
          
  



      </div>
    </main>


        






  
  <script>
  /**
   * Locate the visitor-count element inside one visitor widget.
   *
   * @param {string} url - value of the widget's `id` attribute (the page URL
   *   doubles as the element id, see how addCount reads it).
   * @returns {Element|null} the `.leancloud-visitors-count` descendant, or
   *   null when the widget has none. Throws a TypeError when no element with
   *   that id exists, because getElementById then returns null.
   */
  function leancloudSelector(url) {
    const widget = document.getElementById(url);
    return widget.querySelector('.leancloud-visitors-count');
  }
  if (CONFIG.page.isPost) {
    // Post page: bump this post's Counter row (or create it on first visit)
    // and display the new value. Values from the server only ever reach the
    // DOM through innerText, so they are never parsed as HTML.
    function addCount(Counter) {
      var host = document.querySelector('.leancloud_visitors');
      var url = host.getAttribute('id').trim();
      var title = host.getAttribute('data-flag-title').trim();

      // Existing row: increment `time` server-side, then show time + 1.
      var bumpExisting = counter => {
        var increment = { time: { '__op': 'Increment', 'amount': 1 } };
        Counter('put', '/classes/Counter/' + counter.objectId, increment)
          .then(response => response.json())
          .then(() => {
            leancloudSelector(url).innerText = counter.time + 1;
          })
          .catch(error => {
            console.log('Failed to save visitor count', error);
          });
      };

      // No row yet: create one with a count of 1.
      var createEntry = () => {
        Counter('post', '/classes/Counter', { title: title, url: url, time: 1 })
          .then(response => response.json())
          .then(() => {
            leancloudSelector(url).innerText = 1;
          })
          .catch(error => {
            console.log('Failed to create', error);
          });
      };

      var where = JSON.stringify({ url });
      Counter('get', `/classes/Counter?where=${where}`)
        .then(response => response.json())
        .then(({ results }) => {
          if (results.length > 0) {
            bumpExisting(results[0]);
          } else {
            createEntry();
          }
        })
        .catch(error => {
          console.log('LeanCloud Counter Error', error);
        });
    }
  } else {
    // Index/archive page: fetch the counts of every listed post in one query
    // and fill the spans; posts the server has no row for show 0.
    function showTime(Counter) {
      var hosts = document.querySelectorAll('.leancloud_visitors');
      var ids = Array.from(hosts, element => element.getAttribute('id').trim());

      var where = JSON.stringify({ url: { '$in': ids } });
      Counter('get', `/classes/Counter?where=${where}`)
        .then(response => response.json())
        .then(({ results }) => {
          if (results.length === 0) {
            // Nothing stored for any listed post: zero every span.
            document.querySelectorAll('.leancloud_visitors .leancloud-visitors-count').forEach(element => {
              element.innerText = 0;
            });
            return;
          }
          // Fill in the counts the server returned ...
          results.forEach(item => {
            leancloudSelector(item.url).innerText = item.time;
          });
          // ... then default every span still empty to 0.
          ids.forEach(id => {
            var countNode = leancloudSelector(id);
            if (countNode.innerText == '') {
              countNode.innerText = 0;
            }
          });
        })
        .catch(error => {
          console.log('LeanCloud Counter Error', error);
        });
    }
  }

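  // Resolve the LeanCloud API host for this app, then run the counter code.
  // The App ID and App Key below are LeanCloud client-side credentials: they
  // are delivered to every visitor, so any visitor can issue the same
  // POST/PUT requests against the Counter class that this page does. Treat
  // the stored counts as untrusted data and restrict the class ACL
  // server-side if tampering with them matters.
  fetch('https://app-router.leancloud.cn/2/route?appId=o5UaCJdPfEG0g7MVxXSMagpT-gzGzoHsz')
    .then(response => response.json())
    .then(({ api_server }) => {
      /**
       * Send one request to the LeanCloud REST API.
       * @param {string} method  HTTP method ('get', 'put' or 'post' here).
       * @param {string} url     Path below /1.1, e.g. '/classes/Counter'.
       * @param {Object} [data]  JSON body; for GET it is omitted, and
       *                         JSON.stringify(undefined) yields no body.
       * @returns {Promise<Response>}
       */
      var Counter = (method, url, data) => {
        return fetch(`https://${api_server}/1.1${url}`, {
          method: method,
          headers: {
            'X-LC-Id': 'o5UaCJdPfEG0g7MVxXSMagpT-gzGzoHsz',
            'X-LC-Key': 'c6IN1PuMV3QPltJcrHfn74Gt',
            'Content-Type': 'application/json',
          },
          body: JSON.stringify(data)
        });
      };
      if (CONFIG.page.isPost) {
        // Do not count local previews. The dots are escaped and the pattern
        // anchored so that only a real loopback origin matches.
        const localhost = /^http:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0)/;
        if (localhost.test(document.URL)) return;
        addCount(Counter);
      } else if (document.querySelectorAll('.post-title-link').length >= 1) {
        showTime(Counter);
      }
    })
    .catch(error => {
      // Router lookup failed (offline, blocked, non-JSON reply): log it
      // instead of leaving an unhandled rejection, matching the helpers.
      console.log('LeanCloud Counter Error', error);
    });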
  </script>






        
      </div>
    </footer>
  </div>

  
  <script src="//cdn.jsdelivr.net/npm/animejs@3.1.0/lib/anime.min.js"></script>
  <script src="https://cdn.bootcss.com/velocity/1.2.1/velocity.min.js"></script>
  <script src="https://cdn.bootcss.com/velocity/1.2.1/velocity.ui.js"></script>
<script src="/js/utils.js?v=7.4.0"></script><script src="/js/motion.js?v=7.4.0"></script>
<script src="/js/schemes/pisces.js?v=7.4.0"></script>
<script src="/js/next-boot.js?v=7.4.0"></script>



  
  <script>
    (function(){
      // Baidu link-submit beacon. The copy matching the page's own scheme is
      // chosen so the request is never mixed content; note it is loaded from
      // a third-party host without an integrity attribute.
      var beacon = document.createElement('script');
      var isHttps = window.location.protocol.split(':')[0] === 'https';
      beacon.src = isHttps
        ? 'https://zz.bdstatic.com/linksubmit/push.js'
        : 'http://push.zhanzhang.baidu.com/push.js';
      var firstScript = document.getElementsByTagName("script")[0];
      firstScript.parentNode.insertBefore(beacon, firstScript);
    })();
  </script>








  <script src="/js/local-search.js?v=7.4.0"></script>










<script>
// Load Mermaid from the CDN only when the page actually contains a diagram.
if (document.querySelectorAll('pre.mermaid').length > 0) {
  NexT.utils.getScript('//cdn.bootcss.com/mermaid/8.2.6/mermaid.min.js', () => {
    var mermaidConfig = {
      theme: 'forest',
      logLevel: 3,
      flowchart: { curve: 'linear' },
      gantt: { axisFormat: '%m/%d/%Y' },
      sequence: { actorMargin: 50 }
    };
    mermaid.initialize(mermaidConfig);
  }, window.mermaid);
}
</script>




  

  

  

  

<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/gitalk@1/dist/gitalk.min.css">

<script>
  // Gitalk comment widget. NOTE(review): the clientSecret below is part of
  // the page source and therefore public; Gitalk's OAuth exchange runs in the
  // browser, so the secret cannot be kept confidential. Treat it as public and
  // register the GitHub OAuth app with only the callback URL this blog needs.
  NexT.utils.getScript('//cdn.jsdelivr.net/npm/gitalk@1/dist/gitalk.min.js', () => {
    var gitalkOptions = {
      clientID: 'f3075553d7b0225df6ca',
      clientSecret: '68362ba87c4cc8e13103afcf729f5bd8ea176a78',
      repo: 'anemone95.github.io',
      owner: 'Anemone95',
      admin: ['Anemone95'],
      id: '2418230b17a28bffeda1735712b48163',
      // Browser locale first; userLanguage is the legacy fallback.
      language: window.navigator.language || window.navigator.userLanguage,
      // NOTE(review): passed as a string rather than a boolean — confirm
      // against Gitalk's option docs before changing it.
      distractionFreeMode: 'true'
    };
    new Gitalk(gitalkOptions).render('gitalk-container');
  }, window.Gitalk);
</script>

</body>
</html>
